Is it safe to reboot a server open to the internet?
Solution 1:
Out of the box, you are guaranteed that iptables will start before the interface is brought up by the order of the startup scripts. Look at the "chkconfig" line in each startup script and you will see the runlevels it is "on" when active, the start order, and the stop order.
You are not guaranteed that the interface will not be brought up if the iptables ruleset was not applied properly (or at all).
Example: chkconfig: 2345 08 92
This line states that the service in question will be active in runlevels 2, 3, 4, and 5, and will start at 8 and stop at 92. Anything with a greater "start" value will start only after this script completes, but this script erroring out is considered a completion and will not prevent downstream scripts from running.
Please note this answer applies to CentOS 6 and earlier, not necessarily to CentOS 7. I haven't personally researched 7 sufficiently to answer this question for 7.
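One way to run the check this answer describes, as an added example that is not part of the original answer: it reads the "chkconfig" line of two init scripts and reports whether the firewall script is on in every runlevel where the network script is on and starts first. The function names, the sample file names and the network header value "2345 10 90" are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original answer): compare the "# chkconfig:"
# headers of two SysV init scripts on a CentOS 6-style system.

# Print "<runlevels> <start> <stop>" from the first chkconfig header in file $1.
chkconfig_header() {
    awk '/^#[ \t]*chkconfig:/ && NF >= 4 { print $(NF-2), $(NF-1), $NF; exit }' "$1" 2>/dev/null
}

# starts_before FIREWALL_SCRIPT NETWORK_SCRIPT
# Returns 0 if the firewall is on in every runlevel where the network is on
# and has a lower start number; 1 if not; 2 if a header cannot be read.
starts_before() {
    fw=$(chkconfig_header "$1") || true
    net=$(chkconfig_header "$2") || true
    if [ -z "$fw" ] || [ -z "$net" ]; then
        echo "UNKNOWN: chkconfig header missing"; return 2
    fi
    set -- $fw;  fw_levels=$1;  fw_start=$2
    set -- $net; net_levels=$1; net_start=$2
    case "$fw_start$net_start" in
        *[!0-9]*) echo "UNKNOWN: non-numeric start priority"; return 2 ;;
    esac
    # Every runlevel that starts the network must also start the firewall.
    missing="" rest=$net_levels
    while [ -n "$rest" ]; do
        lvl=${rest%"${rest#?}"}; rest=${rest#?}
        case $fw_levels in *"$lvl"*) ;; *) missing="$missing$lvl" ;; esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL: firewall is off in runlevel(s) $missing where network is on"; return 1
    fi
    # [ ] compares in base 10, so a priority such as 08 is not read as octal.
    if [ "$fw_start" -lt "$net_start" ]; then
        echo "OK: firewall start $fw_start precedes network start $net_start"; return 0
    fi
    echo "FAIL: firewall start $fw_start does not precede network start $net_start"; return 1
}

# Constructed sample headers; on a real host pass /etc/init.d/iptables and
# /etc/init.d/network instead.
demo=$(mktemp -d)
printf '#!/bin/sh\n# chkconfig: 2345 08 92\n' > "$demo/iptables"
printf '#!/bin/sh\n# chkconfig: 2345 10 90\n' > "$demo/network"
starts_before "$demo/iptables" "$demo/network"
rm -rf "$demo"
```

The header only records the defaults; the order actually used at boot is the S<NN> symlinks in /etc/rc<N>.d. An OK result covers start order only and does not show that the ruleset was applied successfully.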
Solution 2:
You can also use the ifup-post option in CentOS:
/etc/sysconfig/network-scripts/ifup-post
Called when any network device EXCEPT a SLIP device comes up. Calls /etc/sysconfig/network-scripts/ifup-routes to bring up static routes that depend on that device. Calls /etc/sysconfig/network-scripts/ifup-aliases to bring up aliases for that device. Sets the hostname if it is not already set and a hostname can be found for the IP for that device. Sends SIGIO to any programs that have requested notification of network events.
Could be extended to fix up nameservice configuration, call arbitrary scripts, etc, as needed.
This script runs and, after the above (ifup-routes and ifup-aliases), it looks for ifup-local:
if [ -x /sbin/ifup-local ]; then
    /sbin/ifup-local ${DEVICE}
fi
So you can create this file and make sure it calls iptables again, for example using iptables-restore:
iptables-restore < /etc/sysconfig/iptables
Solution 3:
A little addendum: to ensure the needed rules will be there next time you boot the server, save them with
sudo sh -c "iptables-save > /etc/iptables.rules"